04/12/2021 | News release | Distributed by Public on 04/12/2021 10:00
California's net neutrality law bars internet service providers from prioritizing, blocking, slowing down, or speeding up internet content. California's law was created after the Trump-era Federal Communications Commission rolled back the federal net neutrality regulation in 2017. The Justice Department sued to overturn the California law, and several trade associations followed with a request for a preliminary injunction to stop the California law pending the outcome of the lawsuit. Judge John Mendez of the US District Court for the Eastern District of California recently gave California a green light to move forward with the net neutrality law after denying a motion for a preliminary injunction to stop the law from going into effect. California Attorney General Xavier Becerra called the ruling a 'critical net neutrality win.'
The Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in the 117th US Congress. Broadly speaking, the proposed federal bill would create protections for the processing of sensitive personal information. For the collection, processing, and sharing of non-sensitive information, companies would be required to allow consumers to opt-out at any time. More specifically, it would provide additional rulemaking authority to the Federal Trade Commission to devise requirements for entities that collect, transmit, store, process, sell, share, or otherwise use the sensitive personal information of members of the public. These requirements would include obtaining 'affirmative, express, and opt-in consent' for requests involving the collection, sale, sharing, or other disclosure of sensitive personal information.
The California Consumer Privacy Act (CCPA) Regulations are updated with clarifications and examples, particularly for requirements surrounding the 'sale' of personal information. Businesses, particularly those that sell personal information, should review the latest clarifications to the CCPA. The updates also introduce the long-awaited opt-out icon to accompany the 'Do Not Sell My Personal Information' link. While previous versions of the opt-out icon were introduced and then disappeared, this time, the opt-out icon appears here to stay.
Virginia passes the second state comprehensive consumer privacy law in the US. The Virginia Consumer Data Protection Act (CDPA) applies to entities that conduct business in Virginia or produce products or services that target Virginia residents and meet one of the following thresholds: (i) during a calendar year, control or process personal data of at least 100,000 Virginia consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The CDPA is scheduled to take effect on January 1, 2023, so businesses have a little less than two years to review and implement requirements. The next stage of the CDPA involves a working group that will submit findings, best practices, and recommendations regarding the implementation of the CDPA to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology, and Innovation by November 1, 2021.
Companies using real-time bidding for advertising should take heed of the investigation developments across the pond. The Information Commissioner's Office (ICO) has resumed its investigation into real-time bidding and the advertising technology (AdTech) industry. The investigation was paused back in May 2020 as ICO focused on prioritizing its response to the COVID-19 pandemic. The investigation has been an ongoing project since February 2019, and ICO partly started its original efforts into the review of real-time bidding due to the risks it poses to the rights and freedoms of individuals.
The European Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure has been completed, the Commission could proceed to adopt the two adequacy decisions.
Not only vehicles, but drivers and passengers are also becoming more and more connected. As a matter of fact, many models launched over the past few years on the market integrate sensors and connected on-board equipment, which may collect and record, among other things, the engine performance, the driving habits, the locations visited, and potentially even the driver's eye movements, his or her pulse, or biometric data for the purpose of uniquely identifying a natural person. The scope of this document focuses in particular on the personal data processing in relation to the non-professional use of connected vehicles by data subjects: e.g., drivers, passengers, vehicle owners, other road users, etc. More specifically, it deals with the personal data: (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user's smartphone), or (iii) collected locally in the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
EU Commissioner for Justice, Didier Reynders, and US Secretary of Commerce, Gina Raimondo, have made the following statement regarding the negotiations on transatlantic data privacy flows: 'The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II caseā¦ Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.'
Commissioner for Justice Didier Reynders and Chairperson of the Personal Information Protection Commission Yoon Jong In welcomed the successful conclusion of the adequacy talks between the European Union and the Republic of Korea. The adequacy dialogue confirmed the high degree of convergence between the European Union and the Republic of Korea in the area of data protection, which increased further with the recent entry into force of the new Personal Information Protection Act in the Republic of Korea and the strengthening of the powers of the Personal Information Protection Commission. The European Commission will now launch the procedure for the adoption of its adequacy finding.
Following the amendments to the Personal Data Protection Act 2012 (PDPA) which came into force on February 1, 2021, this guide on Active Enforcement Guide Framework articulates the Personal Data Protection Commission (PDPC) approach in deploying its enforcement powers to act effectively and efficiently on the increasing number of data breach incidents. This guide targets both consumers as well as organizations that handle personal data and outlines how the PDPC handles data protection complaints, investigates incidents, and the types of enforcement actions that the PDPC may undertake in various circumstances. In addition, this guide will explain the general principles for determining the financial penalty amount imposed for cases where the organizations are found to be in breach of the PDPA.
The Data Availability and Transparency Bill 2020 (the DAT Bill) proposes to create the Data Availability and Transparency scheme (DAT scheme) to enable Australian Government agencies to share public sector data with particular entities for particular purposes and under particular conditions. The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth regulator and submits comments on the DAT Bill noting that robust data protection and privacy safeguards are central to successful data sharing initiatives. The OAIC's submission recommends the inclusion of several privacy measures to provide further protections for individuals and clarity for data scheme entities about their privacy obligations.
The UN Committee on the Rights of the Child has laid out the ways that young people and children should be treated in the digital world, and how their rights should be protected. The document, adopted at the 86th session of the Committee, emphasizes that the rights of every child must be respected, protected, and fulfilled in the digital environment and that children should have access to age-appropriate and empowering digital content, and information from a wide diversity of trusted sources. The recommendations of the Committee were published in the form of a 'general comment,' following two years of consultations with a wide range of groups, involving the Member States, inter-governmental organizations, civil society, and national human rights institutions. In addition, over 700 children and young people, aged between nine and 22 years old, in 27 countries, were consulted during the process, during which they were asked how digital technology impacts their rights, and what actions they want to see taken to protect them.
Arent Fox's Privacy, Cybersecurity, & Data Protection attorneys help clients navigate Big Data issues in spaces as diverse as health care, nonprofits and trade associations, telecommunications, retail, consumer products, gaming and entertainment, and media.